Collect Mimecast Secure Email Gateway logs
This document describes how you can collect Mimecast Secure Email Gateway logs by setting up a Google Security Operations feed.
For more information, see Data ingestion to Google Security Operations.
An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the MIMECAST_MAIL ingestion label.
Configure Mimecast Secure Email Gateway
- Enable logging for the login account.
- Create the API application.
- Get the application ID and application key.
Enable logging for the login account
- Sign in to the Mimecast Administration console.
- In the Account menu, click Account Settings.
- Expand Enhanced Logging.
- Select the types of logs to enable:
  - Inbound: logs messages from external senders to internal recipients.
  - Outbound: logs messages from internal senders to external recipients.
  - Internal: logs messages within internal domains.
- Click Save to apply the changes.
Create the API application
- Sign in to the Mimecast Administration console.
- Click Add API Application.
- Enter the following details:
  - Application name.
  - Description for the application.
  - Category: Enter one of the following categories:
    - SIEM Integration: provides real-time analysis of the security alerts generated by the application.
    - MSP Ordering and Provisioning: available for select partners to manage orders in the MSP Portal.
    - Email / Archiving: refers to messages and alerts stored in Mimecast.
    - Business Intelligence: enables the application's infrastructure and tools to access and analyze information in order to improve and optimize decisions and performance.
    - Process Automation: allows for automation of business processes.
    - Other: for an application that doesn't fit within any other category.
- Click Next.
- In the Settings section, enter the following details:
  - Developer Name: name of the developer of the application.
  - Email: email address of the developer of the application.
- Click Next.
- Review the information displayed on the Summary Page.
- To fix errors, click the Edit button next to Details or Settings, then click Next to return to the Summary page.
Get the application ID and application key
- Click Application and then click Services.
- Click API Application.
- Select the created API application.
- View the application details.
Create the API access key and secret key
For information about generating the access key and secret key, see Creating User Association Key.
Configure a feed in Google Security Operations to ingest Mimecast Secure Email Gateway logs
- Click SIEM Settings > Feeds.
- Click Add New.
- Enter the Feed Name.
- Select Third Party API as the Source Type.
- Select Mimecast as the Log Type to create a feed for Mimecast Secure Email Gateway.
- Click Next.
- Configure the Authentication HTTP header by providing the application ID, access key, secret ID, and application key.
- Click Next and then click Submit.
For more information about Google Security Operations feeds, see Google Security Operations feeds documentation. For information about requirements for each feed type, see Feed configuration by type. If you encounter issues when you create feeds, contact Google Security Operations support.
Field mapping reference
This parser extracts key-value pairs from Mimecast email server logs, categorizes the log entry stage (RECEIPT, PROCESSING, or DELIVERY), and maps the extracted fields to the UDM. It also performs specific logic to handle security-related fields, determining the security result action, category, severity, and related details based on values like Act, RejType, SpamScore, and Virus.
UDM mapping table

| Log Field | UDM Mapping | Logic |
|---|---|---|
| acc | metadata.product_log_id | The value of acc is mapped to metadata.product_log_id. |
| Act | security_result.action | If Act is "Acc", the value is "ALLOW". If Act is "Rej", the value is "BLOCK". If Act is "Hld" or "Sdbx", the value is "QUARANTINE". |
| AttNames | about.file.full_path | The AttNames field, after removing quotes and spaces and splitting by commas, is mapped to an array of about.file.full_path objects. |
| AttSize | about.file.size | The value of AttSize is converted to an unsigned integer and mapped to about.file.size. |
| Cphr | | |
| datetime | metadata.event_timestamp | The value of datetime is parsed as a timestamp and mapped to metadata.event_timestamp. |
| Delivered | Not Mapped | Used to determine the stage and product_event_type. |
| Definition | security_result.summary | The value of Definition is mapped to security_result.summary. |
| Dir | network.direction, security_result.detection_fields | If Dir is "Internal" or "Inbound", the value is "INBOUND". If Dir is "External" or "Outbound", the value is "OUTBOUND". Also added as a detection field with key "network_direction". |
| Err | security_result.summary | The value of Err is mapped to security_result.summary. |
| Error | security_result.summary | The value of Error is mapped to security_result.summary. |
| fileName | principal.process.file.full_path | The value of fileName is mapped to principal.process.file.full_path. |
| filename_for_malachite | principal.resource.name | The value of filename_for_malachite is mapped to principal.resource.name. |
| headerFrom | network.email.from, security_result.detection_fields, principal.user.email_addresses | The value of headerFrom is mapped to network.email.from if Sender is not a valid email address. Also added as a detection field with key "header_from". If neither Sender nor headerFrom is a valid email address, headerFrom is not mapped to network.email.from. |
| IP | principal.ip or target.ip | The value of IP is mapped to principal.ip if the stage is "RECEIPT", or to target.ip if the stage is "DELIVERY". |
| Latency | | |
| md5 | | |
| MsgId | network.email.mail_id | The value of MsgId is mapped to network.email.mail_id. |
| MsgSize | network.received_bytes | The value of MsgSize is converted to an unsigned integer and mapped to network.received_bytes. |
| Rcpt | target.user.email_addresses, network.email.to | The value of Rcpt is mapped to target.user.email_addresses and network.email.to. |
| RcptActType | | |
| RcptHdrType | | |
| Recipient | network.email.to, target.user.email_addresses | The value of Recipient is mapped to network.email.to if Rcpt is not a valid email address. |
| RejCode | security_result.description | Contributes to the value of security_result.description in the format "RejCode=…". |
| RejInfo | security_result.description | Contributes to the value of security_result.description in the format "RejInfo=…". |
| RejType | security_result.description, security_result.category, security_result.category_details, security_result.severity | Contributes to the value of security_result.description in the format "RejType=…". Also determines security_result.category and security_result.severity. Mapped directly to security_result.category_details. |
| Route | security_result.detection_fields | Added as a detection field with key "Route". |
| ScanResultInfo | security_result.threat_name | The value of ScanResultInfo is mapped to security_result.threat_name. |
| Sender | network.email.from, security_result.detection_fields, principal.user.email_addresses | The value of Sender is mapped to network.email.from. Also added as a detection field with key "Sender". |
| SenderDomain | | |
| sha1 | target.file.sha1 | The value of sha1 is mapped to target.file.sha1. |
| sha256 | target.file.sha256 | The value of sha256 is mapped to target.file.sha256. |
| Size | | |
| Snt | network.sent_bytes | The value of Snt is converted to an unsigned integer and mapped to network.sent_bytes. |
| SourceIP | principal.ip | The value of SourceIP is mapped to principal.ip if the stage is "RECEIPT" and IP is not present. |
| SpamInfo | security_result.severity_details | Contributes to the value of security_result.severity_details in the format "SpamInfo=…". |
| SpamLimit | security_result.severity_details | Contributes to the value of security_result.severity_details in the format "SpamLimit=…". |
| SpamScore | security_result.severity_details, security_result.severity | Contributes to the value of security_result.severity_details in the format "SpamScore=…". Also determines security_result.severity if RejType is not set. |
| Subject | network.email.subject | The value of Subject is mapped to network.email.subject. |
| TlsVer | | |
| URL | | |
| UrlCategory | | |
| UseTls | | |
| Virus | security_result.threat_name | The value of Virus is mapped to security_result.threat_name. |
| N/A | metadata.event_type | Set to "EMAIL_TRANSACTION" if either Sender or Recipient/Rcpt is a valid email address; otherwise set to "GENERIC_EVENT". |
| N/A | metadata.vendor_name | Always set to "Mimecast". |
| N/A | metadata.product_name | Always set to "Mimecast MTA". |
| N/A | metadata.product_event_type | Set to "Email …". |
| N/A | metadata.log_type | Always set to "MIMECAST_MAIL". |
| N/A | security_result.severity | Set to "LOW" if has_sec_result is false. Otherwise, determined by RejType or SpamScore. |
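As an added example (not the Google Security Operations parser itself), the following Python sketch applies the mapping rules from the table above to constructed sample lines, so you can check what a given Mimecast record would look like in UDM before it reaches the feed. It assumes a "|"-delimited key=value line format and a simplified stage rule (Delivered means DELIVERY, Act means RECEIPT, anything else PROCESSING), neither of which the page specifies.

```python
import re

# Added example, not the Google SecOps parser. The lookups come from the table above;
# the '|'-delimited key=value format, the stage rule and the sample lines are assumptions.
ACTION = {"Acc": "ALLOW", "Rej": "BLOCK", "Hld": "QUARANTINE", "Sdbx": "QUARANTINE"}
DIRECTION = {"Internal": "INBOUND", "Inbound": "INBOUND", "External": "OUTBOUND", "Outbound": "OUTBOUND"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample lines (not real Mimecast output).
SAMPLE_RECEIPT = ('datetime=2024-05-01T10:00:00+0000|acc=C0A1|IP=203.0.113.7|Dir=Inbound'
                  '|Sender=alice@example.com|Rcpt=bob@example.net|Act=Hld|RejType="Spam"')
SAMPLE_DELIVERY = ('datetime=2024-05-01T10:00:05+0000|acc=C0A1|IP=198.51.100.9'
                   '|Delivered=true|Rcpt=bob@example.net')

def parse_kv(line):
    """Split 'k=v|k2="v 2"' into a dict, dropping surrounding quotes."""
    pairs = (p.split("=", 1) for p in line.split("|") if "=" in p)
    return {k.strip(): v.strip().strip('"') for k, v in pairs}

def stage_of(f):
    """Assumed rule: Delivered => DELIVERY; Act (a verdict) => RECEIPT; else PROCESSING."""
    return "DELIVERY" if "Delivered" in f else "RECEIPT" if "Act" in f else "PROCESSING"

def to_udm(line):
    """Map one log line to flat dotted UDM keys following the table's logic."""
    f = parse_kv(line)
    stage = stage_of(f)
    udm = {"metadata.vendor_name": "Mimecast", "metadata.product_name": "Mimecast MTA",
           "metadata.log_type": "MIMECAST_MAIL", "metadata.product_log_id": f.get("acc")}
    if f.get("Act") in ACTION:
        udm["security_result.action"] = ACTION[f["Act"]]
    if f.get("Dir") in DIRECTION:  # note: "Internal" normalizes to INBOUND
        udm["network.direction"] = DIRECTION[f["Dir"]]
    if "IP" in f:  # principal on receipt, target on delivery
        udm["principal.ip" if stage == "RECEIPT" else "target.ip"] = f["IP"]
    sender = f.get("Sender", "")
    if not EMAIL_RE.match(sender):  # headerFrom only backs up an invalid Sender
        sender = f.get("headerFrom", "")
    if EMAIL_RE.match(sender):
        udm["network.email.from"] = sender
    rcpt = f.get("Rcpt", "")
    if not EMAIL_RE.match(rcpt):  # Recipient only backs up an invalid Rcpt
        rcpt = f.get("Recipient", "")
    if EMAIL_RE.match(rcpt):
        udm["network.email.to"] = rcpt
    if "RejType" in f:
        udm["security_result.category_details"] = f["RejType"]
    udm["metadata.event_type"] = ("EMAIL_TRANSACTION" if "network.email.from" in udm
                                  or "network.email.to" in udm else "GENERIC_EVENT")
    return udm
```

Running `to_udm(SAMPLE_RECEIPT)` yields a QUARANTINE action with the IP on the principal side, while the delivery line places the same kind of IP on the target side, which is the distinction that matters when you pivot on source versus destination in a hunt.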
Changes
2023-03-31
- Enhancement:
  - Mapped "filename_for_malachite" to "principal.resource.name".
  - Mapped "fileName" to "principal.process.file.full_path".
  - Mapped "sha256" to "target.file.sha256".
  - Mapped "sha1" to "target.file.sha1".
  - Added conditional check for "aCode".